The Hacker News — Cyber Security, Hacking, Technology News

The hacktivist group Anonymous has reportedly taken down the official website of the Israeli intelligence agency Mossad in protest against Israel’s military incursion in Gaza, which has resulted in hundreds of civilian casualties. The government of Israel has yet to comment on the attack.

The hacktivists were able to take down Mossad’s website in a Distributed Denial of Service (DDoS) attack early in the morning, according to a statement posted on the Twitter account of one of the Anonymous hackers. The attack appears to be sustained: the site has now been down for over 10 hours and is still down at the time of writing.

OPERATION SAVE GAZA

The Anonymous group has already targeted a number of other Israeli organizations as part of a campaign titled “Operation Save Gaza”, whose stated mission is to stop this “massacre.”

Anonymous has also claimed responsibility for taking down multiple Israeli government sites following the death of one of the organization’s members. The member, 22-year-old Tayeb Abu Shehada, was killed by Israeli forces during a protest in the village of Huwwara in the West Bank over the weekend.

ANONYMOUS TOOK DOWN THOUSANDS OF ISRAELI WEBSITES

The hacktivist group launched the hacking campaign Operation Save Gaza against the Israeli government to coincide with Israel’s Operation Protective Edge on July 7. Since then, Anonymous has taken down “thousands” of Israeli-based websites, including those of Israel’s Defence Ministry and the Tel Aviv Police.

“We are calling upon the Anonymous collective, and the elite hacker groups to join our crusade, and to wage cyber war against the state of Israel once more,” said a public statement from the group posted online last Friday. "As a collective 'Anonymous' does not hate Israel, it hates that Israel's government is committing genocide & slaughtering unarmed people in Gaza to obtain more land at the border."

As the news broke that hundreds of “Israeli government home pages have been replaced by graphics, slogans, and auto-playing audio files,” Anonymous claimed responsibility for the attacks, further releasing 170 log-in details last Monday which they claimed belonged to Israeli officials.

PREVIOUS ATTACKS

Two years ago, the same group launched hundreds of attacks on Israeli websites under the banner #OpIsrael, during the Israel Defense Forces’ (IDF) previous operation in Gaza, ‘Pillar of Defense’.

The Israeli Foreign Ministry’s data was completely wiped out, and the group leaked the data of 5,000 Israeli officials and hacked into the Israeli Deputy Premier’s Facebook and Twitter accounts, replacing their content with pro-Palestinian messages.

A year ago, the group also claimed to have attacked 100,000 websites, stating that its attacks had caused $3 billion in damages to Israel.

Good news for privacy-oriented people! BitTorrent has unveiled a new instant messaging program that doesn’t store your metadata and gives you encrypted communication to keep your online conversations private, whether they are voice or text.

BitTorrent has named its online chat service "Bleep", a decentralised peer-to-peer voice and text communications platform that offers end-to-end encryption and therefore keeps conversations away from prying eyes. To route users’ voice and text conversations, Bleep makes use of the BitTorrent distributed network rather than a centralised server.

"We never see your messages or metadata," said Jaehee Lee, the senior product manager for Bleep, in a blog post announcing the new app on Wednesday. "As far as we're concerned, anything you say is 'bleep' to us."

The Bleep chat application promises secure and private conversations by routing encrypted instant-message traffic through different nodes, using the same decentralized approach that underlies torrents.

According to the Bleep project head Farid Fadaie, there are two main components to its architecture:

The new peer-to-peer communication platform, which was built on a fully distributed Session Initiation Protocol (SIP) server engine.

The User Interface, a chat-and-voice-enhanced application that will be continuously updated over time to provide a great messaging experience.

"BitTorrent does not track or store information on who is communicating with whom, or when communications happen," Fadaie said in a post. "We are not even storing data temporarily on servers and then deleting it. We never have the meta data in the first place. Person A finds Person B through other nodes in the network. We never track or store who is looking for whom."

So far the company has listed no known security or privacy weaknesses, but if attackers succeeded in spoofing nodes in the BitTorrent network, they could intercept or redirect communications.

The app uses modern cryptographic primitives such as curve25519, ed25519, salsa20 and poly1305 for end-to-end encryption of all communications, which, according to Fadaie, "should be the new normal in the post-Snowden era".

It is very simple to use. You can sign up with an email address or a phone number, or even as unlisted so that you don't have to provide any personally identifiable information. After that you can invite your friends and also import your Google address book.

OTHER ENCRYPTED CHAT PLATFORMS

Instant messaging apps that offer end-to-end encryption have surfaced quickly in the wake of the NSA revelations made by global surveillance whistleblower Edward Snowden.

One such promising service is Invisible.IM chat service, an anonymous Instant Messenger (IM) that leaves no trace as it is supposed to use the Tor anonymizing network to distribute chatter wrapped in OTR encryption.

The Tor Project is also working on a new privacy tool called the 'Tor Instant Messaging Bundle' (TIMB), which will provide encrypted communication to keep your online conversations private.

Earlier this month, Facebook founder Mark Zuckerberg highlighted his dream of universal Internet access: making Internet access available to everyone across the world, as a service as essential as 911 in an emergency.

Dream comes true! Facebook Inc. (FB), in partnership with Bharti Airtel Ltd. (BHARTI) of India, today launches its first Android and web application with free data access to a wide range of services, according to Guy Rosen, a product management director at Facebook.

This new offering from Facebook is launching in Zambia before coming to other developing countries eventually, and provided through a mobile application known as Internet.org, named after a project developed by the world’s biggest social networking site to expand Internet access to the developing world.

“Right now, only 15% of people in Zambia have access to the internet,” Zuckerberg said in a Facebook post. “Soon, everyone will be able to use the internet for free to find jobs, get help with reproductive health and other aspects of health, and use tools like Facebook to stay connected with the people they love.”

According to Zuckerberg, 2.7 billion people today, just over one-third of the world's population, have access to the Internet, and adoption has been growing at a very low rate, by less than 9% each year. The remaining 5 billion people without Internet access lack it because of issues such as high costs or inadequate infrastructure, and he thinks that for 90% of the world’s population the problem isn’t a lack of a network but a lack of affordable data plans.

Internet.org—a global partnership launched by Zuckerberg last year, along with other major information-technology leaders as well as nonprofit organizations and local communities—plans to bring those 5 million people who are without Internet access into the Digital Age.

The Internet.org app will offer some basic services to Airtel customers without incurring any data charges. It will include access to Facebook, Messenger, Wikipedia and Google Search, along with AccuWeather, local news, health information and employment services.

“Over 85% of the world’s population lives in areas with existing cellular coverage, yet only about 30% of the total population accesses the internet,” Internet.org product management director Guy Rosen wrote in a blog post.

“Affordability and awareness are significant barriers to internet adoption for many and today we are introducing the Internet.org app to make the internet accessible to more people by providing a set of free basic services.”

Although the service is currently limited to Airtel users in Zambia, Facebook says this is just an initial move and a bigger rollout is yet to come. The goal of the biggest social networking site is to bring the service to the whole world.

“This is a big step forward in achieving the mission of Facebook and Internet.org,” Zuckerberg said. “We're looking forward to bringing free basic services to more countries soon.”

On the whole, it is reasonable to expect that giving poor people access to the Internet and the possibility of connecting with people anywhere in the world will transform lives in a very positive way.

Just a few days after the announcement that the Russian government will pay almost 4 million rubles (approximately $111,000) to whoever can devise a reliable technique to decrypt data sent over Tor, the government now wants something that is really tough.

APPLE & SAP, HAND OVER YOUR SOURCE CODES

The Russian government has asked Apple to provide access to the company’s source code in an effort to assure itself that iOS devices and Macintoshes aren’t vulnerable to spying. Not just this, the government has demanded the same from SAP, whose enterprise software manages business operations and customer relationships.

Russia proposed this idea last Tuesday, when Communications Minister Nikolai Nikiforov met SAP’s Russian managing director Vyacheslav Orekhov and Apple’s Russian general manager Peter Engrob Nielsen and suggested that both companies give the Russian government access to their source code.

APPLE iOS BACKDOOR CONTROVERSIES

The idea came just a week after security researcher Jonathan Zdziarski accused Apple of building surveillance backdoors into iOS devices to help governments spy on Apple users, though Apple denies the claim, saying it “has never worked with any government agency from any country to create a backdoor in any of our products or services.”

Russia has also expressed strong concerns about the NSA surveillance programs leaked by former NSA contractor Edward Snowden.

Since the NSA leaks, foreign experts and security researchers have believed that U.S. government-backed software and encryption standards help the U.S. intelligence agency, the NSA, spy on people quite effortlessly.

"Edward Snowden's revelations in 2013 and U.S. intelligence services' public statements about the strengthening of surveillance of Russia in 2014 have raised a serious question of trust in foreign software and hardware," Nikiforov said in a statement reported late on Tuesday by Reuters.

“It is obvious that those companies that disclose the source codes of their programs are not hiding anything, but those who do not intend to cooperate with Russia in this regard may have products with undeclared capabilities in their products,” he added, noting that Microsoft has been releasing its source code since 2003.

RUSSIA PREFERRED SAMSUNG OVER APPLE SMARTPHONES

This is not the only example showing that the Russian government is wary of US-made tech products. Last March, the Russian government banned members of its cabinet from using iPads and suggested they use Samsung tablets instead, the Moscow Times reports.

The Russian government has already set up a competition to crack the Tor anonymizing network, an encrypted network used by online users to hide their activities from law enforcement, government censors and others. But what will the government do now that it wants access to the source code of a company that has never provided it?

A critical vulnerability in Tor — an encrypted anonymizing network considered one of the most privacy-oriented services, used by online users to hide their activities from law enforcement, government censors and others — was probably being used to de-anonymize Tor users, the Tor Project warned on Wednesday.

115 MALICIOUS TOR RELAYS WERE DE-ANONYMIZING USERS

According to a security advisory, the Tor team found a group of 115 malicious fast non-exit relays (6.4% of the whole Tor network) that were actively monitoring both ends of Tor circuits in an effort to de-anonymize users.

"While we don't know when they started doing the attack, users who operated or accessed hidden services from early February through July 4 should assume they were affected," Tor said.

When you use the Tor anonymizing network, your IP address remains hidden and your connection appears to come from the IP address of a Tor exit relay, making it very difficult for anyone — a malicious actor or a government spy agency — to tell where traffic is coming from and going to.

All the identified malicious relays were running from the 50.7.0.0/16 or 204.45.0.0/16 address ranges for over 5 months this year. According to the team, these rogue relays were trying to de-anonymize Tor users who visit and run so-called hidden services (“.onion” sites) on the Deep Web.
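
The kind of check a relay-health monitor could run over consensus data to catch a batch like the one described above, added here as an illustration and not the Tor Project's own code: relays are clustered by /16 netblock and first-seen date, and each cluster's share of the network is compared with a threshold. The relay records are constructed sample data, not real fingerprints.

```python
"""Spot a coordinated batch of Tor relays, the kind described above.

Added illustration, not Tor Project code. The relays the Tor team removed
were 115 fast non-exit relays (6.4% of the network) that appeared at about
the same time in the 50.7.0.0/16 and 204.45.0.0/16 ranges. A relay-health
monitor can apply a simple Sybil heuristic to consensus data: cluster relays
by /16 netblock and first-seen date, then compare each cluster's share of
the network with a threshold. All relay records below are CONSTRUCTED.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Relay:
    fingerprint: str       # relay identity, made up here
    address: str           # IPv4 address
    first_seen: date       # date the relay first appeared in the consensus
    flags: frozenset[str]  # consensus flags such as Fast, Guard, HSDir, Exit


def netblock(address: str, prefix: int = 16) -> str:
    """Return the /prefix network an address belongs to, e.g. '50.7.0.0/16'."""
    return str(ipaddress.ip_network(f"{address}/{prefix}", strict=False))


def cluster_relays(relays: list[Relay]) -> dict[tuple[str, date], list[Relay]]:
    """Group relays sharing a /16 netblock and a first-seen date; an operator
    who brings up many relays at once from a few hosting ranges stands out."""
    clusters: dict[tuple[str, date], list[Relay]] = defaultdict(list)
    for relay in relays:
        clusters[(netblock(relay.address), relay.first_seen)].append(relay)
    return clusters


def suspicious_clusters(relays: list[Relay], max_share: float = 0.01,
                        min_size: int = 5) -> list[tuple[str, date, int, float]]:
    """Return (netblock, first_seen, count, share) for clusters of fast
    non-exit relays that exceed max_share of the whole relay population.

    Fast non-exit relays are the ones that can sit on the guard/HSDir side of
    a circuit, which is where the relays described above were positioned.
    """
    candidates = [r for r in relays if "Fast" in r.flags and "Exit" not in r.flags]
    total = len(relays)
    findings = []
    for (block, seen), members in sorted(cluster_relays(candidates).items()):
        share = len(members) / total
        if len(members) >= min_size and share > max_share:
            findings.append((block, seen, len(members), round(share, 4)))
    return findings


def sample_relays() -> list[Relay]:
    """CONSTRUCTED consensus excerpt: 170 unrelated relays plus a batch of 30
    that joined on one day from two /16 ranges with Fast+Guard+HSDir flags."""
    relays: list[Relay] = []
    for i in range(170):  # background: one relay per /16, spread over 2013
        relays.append(Relay(
            fingerprint=f"{i:040X}",
            address=f"{10 + i % 60}.{i}.{i % 7}.{1 + i % 200}",
            first_seen=date(2013, 1 + i % 12, 1 + i % 28),
            flags=frozenset({"Fast", "Guard"} if i % 3 else {"Fast", "Exit"}),
        ))
    batch_day = date(2014, 1, 30)
    batch_flags = frozenset({"Fast", "Guard", "HSDir"})
    for i in range(10):
        relays.append(Relay(f"A{i:039X}", f"50.7.{i}.{100 + i}", batch_day, batch_flags))
    for i in range(20):
        relays.append(Relay(f"B{i:039X}", f"204.45.{i}.{50 + i}", batch_day, batch_flags))
    return relays


if __name__ == "__main__":
    for block, seen, count, share in suspicious_clusters(sample_relays()):
        print(f"{block} first seen {seen}: {count} relays = {share:.1%} of network")
```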

UPGRADE TO LATEST TOR RELEASE

Tor Project leaders urged Tor relay operators to upgrade Tor software to a recent release, either 0.2.4.23 or 0.2.5.6-alpha, in order to close the critical vulnerability that was actively being exploited in the wild.

The Tor team has now removed all identified malicious relays from the network and advised hidden service operators to change the location of their hidden service.

TAILS OS FLAW TO DE-ANONYMIZE USERS

Just a few days ago, we reported a similar issue in Tails OS, a privacy- and security-focused Linux-based operating system. A critical zero-day vulnerability discovered by researchers at Exodus Intelligence could help attackers or law enforcement de-anonymize anyone’s identity. The researchers said the flaw actually lies in the I2P software that is bundled with the operating system.

Exodus Intelligence is, however, working with the developers of Tails, the Debian-based Linux distribution, and of I2P to get a patch out soon.

RUSSIA OFFERS $114,000 FOR CRACKING TOR

Until now, the Tor network has been a major target for the U.S. National Security Agency and the FBI, but something quite creepy also came to light just after the zero-day flaw was discovered in the Tails operating system.

The Russian government also wants to crack the Tor anonymizing network, and is offering almost 4 million rubles (approximately $111,000) for a successful exploit.

TOR FLAW RELATED TO CANCELED BLACK HAT TALK?

The vulnerability may be related (though this is not certain) to the research done by Alexander Volynkin and Michael McCord of Carnegie Mellon University, “Attacking Tor and de-anonymizing users”, which was originally scheduled to be delivered at the Black Hat USA conference this year. Unfortunately, their talk was cancelled two weeks beforehand because their material had not been approved by the SEI for public release.

Two days ago, we reported at The Hacker News on a critical issue in the mobile app of Instagram, the most popular image and video sharing service, that allows an attacker to hijack users’ accounts and successfully access private photos, delete the victim's photos, edit comments and also post new images.

Yesterday, London developer Stevie Graham released a tool called “Instasheep”, a play on the 2010 Facebook session stealer Firesheep, a Firefox extension that could be used to compromise online accounts automatically, in certain circumstances, with a click of the mouse.

Graham discovered the Instagram issue years ago and was shocked when he realized it hadn’t been fixed by Facebook yet. He released the tool after claiming Facebook refused to pay a bug bounty for his reported vulnerabilities affecting the Instagram iOS mobile application.

Facebook, the largest social networking giant, was reportedly aware of the issue in its Instagram iOS app and was working on a fix by deploying HTTPS across its portfolio, but it is still not clear how much time this will take.

The vulnerability could expose iOS app users to man-in-the-middle (MitM) attacks; as we said earlier, Instagram sends some data, including the session cookie, unencrypted. An attacker could reuse these intercepted HTTP session cookies on another system or browser to hijack the session of the victim's Instagram account.

"I don't agree the barrier to exploit is high. All it takes is one sufficiently skilled person to release a tool so simple even a script kiddie can use it. At that point Pandora's Box has been blown apart,” Graham wrote on YCombinator.

Instagram co-founder Mike Krieger has responded to issue via the same YCombinator website and said, “We’ve been steadily increasing our HTTPS coverage–Instagram Direct, for example, which we launched in late 2013, is 100% HTTPS. For the remainder of the app, especially latency-sensitive read endpoints like the main feed and other browsing experiences, we’re actively working on rolling out HTTPS while making sure we don’t regress on performance, stability, and user experience. This is a project we’re hoping to complete soon, and we’ll share our experiences in our eng blog so other companies can learn from it as well.”

Graham released the Instasheep tool, which automates the process, in order to force Facebook’s hand and push the company to speed up its efforts to deploy HTTPS.

Good news for privacy lovers!! The open source software group Open Whisper Systems has released the first free and open source phone call application for iPhone users, specifically designed to make secure, encrypted calls.

When it comes to the privacy of our messages and voice calls, Open Whisper Systems has a very strong track record. Whisper is the company behind RedPhone and TextSecure for Android, which provide encrypted calls and texts respectively. Moving on to iOS devices, the company set out to produce its simplest and easiest interface yet.

The app, called Signal, is a free iOS app designed to enable easy and strongly encrypted voice calls. Signal for iPhone is completely compatible with OWS’s time-tested and well-known RedPhone. Eventually, Signal will combine both RedPhone and TextSecure in a single Android application, according to a blog post.

Signal makes use of end-to-end encryption to secure iPhone conversations so that no third party can listen to the voice conversation. Calls through the Signal app work just like any normal phone call, but travel over a WiFi or Internet connection, and the app uses the caller's standard phone number to make and receive calls.

HIGHLIGHTED FEATURES

Free: Signal is free to install and use. As we know, there is a huge market out there offering many voice call encryption products for different platforms, but most of them are neither cheap nor free.

Open Source App: Signal is open source, meaning its code is available to all, which gives app developers the opportunity to verify the app’s integrity. This is very important given the concerns that software vendors have been forced to add “backdoors” into their products in order to assist government surveillance programs.

High Privacy: Signal provides end-to-end encryption of voice calls over a data connection.

HOW TO SET UP

Installing Signal on your device takes a few simple steps. You just have to verify the device’s phone number through a one-time code sent to you via SMS. The app will display only the contact details of those users who have installed Signal.

Signal uses ZRTP, a widely used secure voice communication protocol, and sends push notifications when phone calls are received to save battery life. The app displays two words on the screen during a voice call; these words are meant to be verified with the person on the other end to detect any man-in-the-middle (MitM) attack. If they don’t match, it’s a sign of a MitM attack.
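
An added illustration (not Open Whisper Systems' code) of why comparing the two words detects a relay in the middle of a call: a toy Diffie-Hellman group, SHA-256 in place of ZRTP's sashash and a generated word list are assumptions made so that it runs with the standard library alone.

```python
"""Why Signal's two spoken words catch a man in the middle (ZRTP-style SAS).

Added illustration, not Open Whisper Systems' code. ZRTP agrees a call key
with Diffie-Hellman and then shows both callers a Short Authentication
String (SAS) derived from the agreed secret. They read it aloud and compare.
An attacker relaying the call has to run two separate key agreements, one
with each phone, so the two phones hold different secrets and display
different words.

Assumptions (CONSTRUCTED, not ZRTP's real parameters): the group is the
Mersenne prime 2**521 - 1 with generator 3, chosen only so the arithmetic is
exact and self-contained; SHA-256 stands in for ZRTP's sashash; and the
word list is a generated set of 256 pseudo-words, not the PGP word list.
"""
import hashlib
import secrets

P = (1 << 521) - 1          # toy prime modulus (Mersenne prime M521)
G = 3                        # toy generator
WORDS = [c + v + t for c in "bdfgklmnprstvzjh" for v in "aeio" for t in "nrst"]
assert len(WORDS) == 256    # one word per byte of the SAS


def keypair(private: int = 0) -> tuple[int, int]:
    """Return (private exponent, public value g^x mod p); random if not given."""
    x = private or (secrets.randbelow(P - 2) + 1)
    return x, pow(G, x, P)


def shared_secret(private: int, peer_public: int) -> int:
    return pow(peer_public, private, P)


def sas(shared: int) -> str:
    """Two words from the first two bytes of a hash of the shared secret."""
    digest = hashlib.sha256(shared.to_bytes(66, "big")).digest()
    return f"{WORDS[digest[0]]} {WORDS[digest[1]]}"


def sas_matches(spoken_by_alice: str, spoken_by_bob: str) -> bool:
    """The human step: callers compare the words; a mismatch means a relay."""
    return spoken_by_alice == spoken_by_bob


def direct_call(a_priv: int = 0, b_priv: int = 0) -> tuple[int, int]:
    """Alice and Bob exchange public values directly; return both secrets."""
    a, A = keypair(a_priv)
    b, B = keypair(b_priv)
    # Alice sends A, Bob sends B.
    return shared_secret(a, B), shared_secret(b, A)


def relayed_call(a_priv: int = 0, b_priv: int = 0, m_priv: int = 0) -> tuple[int, int]:
    """Mallory intercepts both public values and substitutes her own, so each
    phone unknowingly agrees a key with Mallory rather than with the other."""
    a, A = keypair(a_priv)
    b, B = keypair(b_priv)
    m, M = keypair(m_priv)
    # Alice receives M instead of B; Bob receives M instead of A.
    alice_secret = shared_secret(a, M)   # Mallory computes the same via (m, A)
    bob_secret = shared_secret(b, M)     # Mallory computes the same via (m, B)
    return alice_secret, bob_secret


if __name__ == "__main__":
    for label, (sa, sb) in (("direct", direct_call()), ("relayed", relayed_call())):
        words_a, words_b = sas(sa), sas(sb)
        print(f"{label:8} Alice sees '{words_a}', Bob sees '{words_b}',"
              f" match={sas_matches(words_a, words_b)}")
```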

Washington-based software firm Silent Circle offers encrypted calling and texting services for a monthly subscription, and is a partner in Geneva-based SGP Technologies, which makes the BlackPhone, a security-minded device released last month that runs ‘PrivatOS’, an Android-based operating system that allows users to make and receive secure phone calls, exchange secure texts, store files encrypted, hold secure video chats, browse privately, and anonymize their activity through a VPN (virtual private network).

Because of its dominant share of the mobile platform market, Google’s Android operating system has been a prime target for cybercriminals, and a recently exposed weakness in the way the operating system handles certificate validation has left millions of Android devices open to attack.

Researchers at Bluebox Security, who identified the vulnerability, dubbed the flaw Fake ID; it affects all versions of the Android operating system from 2.1 (released in 2010) up to Android 4.4, also known as KitKat.

ALL VERSIONS UP TO KITKAT ARE VULNERABLE

Researchers marked the vulnerability as critical because it could allow a fake, malicious app to masquerade as a legitimate and trusted application, enabling an attacker to perform various actions such as inserting malicious code into a legitimate app, stealing your personal information or even taking complete control of an affected device. Specifically, devices running the 3LM administration extension are at risk of complete compromise; these include devices from HTC, Pantech, Sharp, Sony Ericsson and Motorola.

"Every Android application has its own unique identity, typically inherited from the corporate developer's identity," Bluebox CTO Jeff Forristal wrote in a blog post published Wednesday. The bug, however, lets a malicious app copy those identities and use them "for nefarious purposes."

WHAT IS “FAKE ID” ANDROID VULNERABILITY

Researchers named the flaw "Fake ID" because it allows malicious applications to pass fake credentials to Android OS, which fails to properly verify the application's cryptographic signature. Instead, the operating system grants all the access permissions to the rogue application that it grants to the legitimate app.

To establish the identity of the app developer, Android applications are signed using digital certificates. But because of the Fake ID vulnerability, the Android app installer doesn’t try to authenticate the certificate chain of a given app, which means an attacker can build an app with a fake identity and impersonate a party with extensive privileges, such as an Adobe plug-in or Google Wallet.

IMPACT AND EXAMPLES

In the case of Adobe, the malware app would look like Adobe-trusted code and have the ability to escape the sandbox and run malicious code inside another app, the researchers said.

“For example, an attacker can create a new digital identity certificate, forge a claim that the identity certificate was issued by Adobe Systems, and sign an application with a certificate chain that contains a malicious identity certificate and the Adobe Systems certificate,” the Bluebox researchers said in a post explaining their discovery.

“Upon installation, the Android package installer will not verify the claim of the malicious identity certificate, and create a package signature that contains both certificates. This, in turn, tricks the certificate-checking code in the webview plugin manager (who explicitly checks the chain for the Adobe certificate) and allows the application to be granted the special webview plugin privilege given to Adobe Systems – leading to a sandbox escape and insertion of malicious code, in the form of a webview plugin, into other applications.”
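
To make the distinction in Bluebox's description concrete, here is an added example (not Bluebox's or Android's code) contrasting a check that only looks for the Adobe certificate in an unvalidated chain with one that verifies every signature up to a trusted anchor. It uses dict-based certificates and a deliberately tiny textbook RSA so that it runs with the standard library alone; all key material is constructed for illustration.

```python
"""Fake ID in miniature: a name check versus a verified certificate chain.

Added illustration, not Bluebox's or Android's code. Certificates are plain
dicts and signatures use a deliberately tiny textbook RSA over Mersenne
primes so the example runs offline with the standard library; real Android
signing uses X.509/PKCS#7 and the real check lives in the package installer.
The logic is what matters: the installer Bluebox described never verified
that the leaf certificate was signed by the issuer it named, so a chain of
[malicious leaf claiming issuer "Adobe Systems", genuine Adobe certificate]
satisfied a plugin manager that only looked for the Adobe certificate.
"""
from __future__ import annotations

import hashlib

E = 65537  # public exponent shared by all toy keys


def make_key(p: int, q: int) -> tuple[tuple[int, int], tuple[int, int]]:
    """Return ((n, e), (n, d)) textbook RSA keys from two primes (toy sizes)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)


def _digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private: tuple[int, int], data: bytes) -> int:
    n, d = private
    return pow(_digest(data, n), d, n)


def verify(public: tuple[int, int], data: bytes, signature: int) -> bool:
    n, e = public
    return pow(signature, e, n) == _digest(data, n)


def cert_body(cert: dict) -> bytes:
    """The signed part of a certificate: subject, claimed issuer, public key."""
    n, e = cert["pubkey"]
    return f'{cert["subject"]}|{cert["issuer"]}|{n}|{e}'.encode()


def issue(subject: str, issuer: str, subject_pub, signer_priv) -> dict:
    """Build a certificate; note that nothing ties `issuer` to `signer_priv`."""
    cert = {"subject": subject, "issuer": issuer, "pubkey": subject_pub}
    cert["signature"] = sign(signer_priv, cert_body(cert))
    return cert


def vulnerable_plugin_check(chain: list[dict], adobe_pub) -> bool:
    """Pre-patch behaviour as described: the installer never validated the
    chain, so the plugin manager only asks whether Adobe's certificate is in it."""
    return any(c["subject"] == "Adobe Systems" and c["pubkey"] == adobe_pub
               for c in chain)


def patched_chain_check(chain: list[dict], anchors: dict) -> bool:
    """Leaf-to-root validation: every certificate must verify under the key of
    the certificate after it, and the root must be a trusted anchor."""
    for cert, issuer in zip(chain, chain[1:]):
        if cert["issuer"] != issuer["subject"]:
            return False
        if not verify(issuer["pubkey"], cert_body(cert), cert["signature"]):
            return False
    root = chain[-1]
    anchor = anchors.get(root["subject"])
    return (anchor is not None and anchor == root["pubkey"]
            and root["issuer"] == root["subject"]
            and verify(anchor, cert_body(root), root["signature"]))


# CONSTRUCTED key material; Mersenne primes keep the toy arithmetic exact.
ADOBE_PUB, ADOBE_PRIV = make_key((1 << 61) - 1, (1 << 89) - 1)
ATTACKER_PUB, ATTACKER_PRIV = make_key((1 << 107) - 1, (1 << 127) - 1)
PLUGIN_PUB = make_key((1 << 31) - 1, (1 << 107) - 1)[0]
ANCHORS = {"Adobe Systems": ADOBE_PUB}

ADOBE_ROOT = issue("Adobe Systems", "Adobe Systems", ADOBE_PUB, ADOBE_PRIV)
# Genuine plugin: a leaf really signed by Adobe's key.
LEGIT_CHAIN = [issue("Legit Plugin", "Adobe Systems", PLUGIN_PUB, ADOBE_PRIV),
               ADOBE_ROOT]
# Fake ID: the leaf *claims* Adobe as issuer but is signed with the attacker's
# own key; the genuine Adobe certificate is simply bundled alongside it.
FORGED_CHAIN = [issue("Evil Plugin", "Adobe Systems", ATTACKER_PUB, ATTACKER_PRIV),
                ADOBE_ROOT]

if __name__ == "__main__":
    for label, chain in (("legit", LEGIT_CHAIN), ("forged", FORGED_CHAIN)):
        print(f"{label:6}: vulnerable={vulnerable_plugin_check(chain, ADOBE_PUB)}"
              f" patched={patched_chain_check(chain, ANCHORS)}")
```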

TARGETING GOOGLE WALLET PAYMENT SYSTEM

Researchers also pointed out one more target for an attacker exploiting the Fake ID vulnerability: Google's own Wallet payment system. A malicious app bearing the signature of Google Wallet would allow an attacker to access the NFC (Near Field Communication) chip in the device.

The NFC chip in the device is responsible for storing the payment information used in NFC payments via Google Wallet. NFC is used by various electronic payment applications, and malicious code could harvest credit card numbers as well.

According to Jeff Forristal, the attackers have more ways to exploit Fake ID vulnerability, a bug that he will discuss in a presentation at Black Hat in Las Vegas next week.

PATCH RELEASED, BUT YOU CAN'T GET IT IMMEDIATELY

Google already released a patch to its partners in April. However, that still leaves millions of handsets out there vulnerable, as it’s up to the carriers themselves to push the updates to users.

The vulnerability resides in the Android operating system itself, so when the update reaches users depends on their manufacturer and carrier: it may be today, a month from now, or it could take a year.

As the researchers say, effectively addressing a vulnerability requires a three-step process:

1. Google produces a generic code fix, which it provides to the Android phone manufacturers.

2. The phone manufacturers must then incorporate that fix into a firmware update suitable for their specific phones, which they provide to carriers.

3. The carrier then distributes the final update, which ensures your phone is safe from the vulnerability.

As regards Fake ID, Google has provided the generic code fix to the phone manufacturers.

Bluebox Security is the same company that uncovered the so-called Android "Master Key" vulnerability, which allowed an attacker to modify any legitimate and digitally signed application in order to transform it into a Trojan program that could then be used to steal device information or take control of the device.

Scammers have again targeted more than one billion active users of the popular social networking giant Facebook, to infect as many victims as possible.

Not by serving a fake post or a malicious video link: this time scammers have used a new way of tricking Facebook users into injecting malicious JavaScript, or other client-side code, into their own web browsers.

This malicious code could allow an attacker to gain access to victims’ accounts and use them for fraud, for sending spam, and for promoting further attacks by posting the scam on victims’ timelines for their friends to see. This technique is known as Self Cross-Site Scripting, or Self-XSS.

A Self-XSS (Self Cross-Site Scripting) scam is a combination of social engineering and a browser vulnerability, basically designed to trick Facebook users into giving access to their account. Once an attacker or scammer gets access to a user’s Facebook account, they can even post and comment on things on the user’s behalf.

To infect a Facebook user, the cyber crooks send a phishing message via email or a Facebook post from one of the friends in the targeted victim’s list, claiming, in this case, to offer a way to hack any Facebook user by following some simple steps.

The posted scam looks as follows:

Hack any Facebook account following these steps:
1. Go to the victim’s profile
2. Click right click then click on inspect element and click the “Console” tab.
3. Paste the code into the box at the bottom and press Enter.
The code is in the web site: http://textuploader .com****/
Good luck: *
Don’t hurt anybody…

They want you to follow the given instructions and copy and paste the malicious code, supposedly to take over someone else’s account. The trick works on both Google Chrome and Mozilla Firefox.

Once you inject this malicious script yourself, it gives away access to your whole account to someone who can carry out a variety of malicious activities, basically spreading all sorts of malicious campaigns. The hackers can also infect the victim’s computer with malware that collects banking details and sends them to a remote location they control.

Facebook has also listed the scam on the list of threats its users have been observed to fall victim to. “Scammers who use Self-XSS usually trick you by promising to help you hack somebody else's account,” reads the post. “The scammer's goal is to get you to run their malicious code on your computer. When you run their code, you grant the scammer access to your account for fraud, spam, and tricking more people into running the scam.”

Spotting these scams and reporting them is the best way to protect yourself, but if you fall victim to one of these attacks, don't panic! Follow the link to learn more about protecting your Facebook account.

Facebook is also working with various browser vendors to add protection in the browser in an effort to prevent this vector from being exploited.

In addition, the hackers were also able to obtain plans regarding other missile interceptors, including Unmanned Aerial Vehicles, ballistic rockets and the Arrow III missile interceptor, which was designed by Boeing and other U.S.-based companies.

The intrusions were thought to be executed by Beijing's infamous “Comment Crew” hacking group – a group of cyber warriors linked to the Chinese People’s Liberation Army (PLA) – into the corporate networks of top Israeli defense technology companies, including Elisra Group, Israel Aerospace Industries, and Rafael Advanced Defense Systems, between 10 October 2011 and 13 August 2012.

The three Israeli defense technology companies were responsible for the development of the “Iron Dome” missile shield. The attackers targeted the three companies through email phishing attacks.

Once the companies' security systems had been breached, they exfiltrated all types of documents, from the emails sent by a CEO to the PowerPoint presentations containing all the necessary information about Iron Dome and other sophisticated ballistic projects.

The Beijing-sponsored hacking group came to light earlier this year when the United States Justice Department in May charged five of its alleged members with various hacking and espionage offenses. The group allegedly infiltrated United States systems involved in the nuclear power, metals and solar products industries, in order to “steal information that would provide an economic advantage” for Chinese companies.

These serious allegations against the Chinese group were detailed by Brian Krebs on his blog; CyberESI itself is not yet prepared to release the report publicly.

Although it is not known exactly how much data the group was able to obtain, CyberESI identified more than 700 documents stolen from Israel Aerospace Industries (IAI) alone, amounting to 763 MB and including Word documents and spreadsheets, PDFs, emails, and executable binaries, Krebs reported. The actual number is believed to be much higher.

Comment Crew hacking group maintained hooks inside IAI for four months during the 2012 raid. It stole administrator credentials, planted trojans and keyloggers, and dumped Active Directory data from at least two domains.

Iron Dome is the most-effective and most-tested missile shield which is designed to intercept and destroy short-range rockets and artillery shells fired from distances of 4 kilometres to 70 kilometres away.

Subsidised by the US, the Iron Dome anti-missile programme cost a total of US$1 billion and has been heavily used during the ongoing conflict, in which militants in Gaza have fired some 2,500 rockets at Israel that would otherwise have landed in populated areas, earning Iron Dome a reputation as the world's most effective missile shield.

In the era of government surveillance, ensuring the security and safety of our private communications regardless of platform – email, VoIP, messaging, even stored cookies – should be the top priority of the Internet industry. Parts of the industry have come together to offer encryption as protection against government surveillance, but some have left security holes that may expose your personal data.

A critical issue on Instagram’s Android Application has been disclosed by a security researcher that could allow an attacker to hijack users’ account and successfully access private photos, delete victim's photos, edit comments and also post new images.

Instagram, acquired by Facebook in April 2012 for approximately US$1 billion, is an online mobile photo-sharing, video-sharing and social networking service that enables its users to take pictures and videos, apply digital filters, and share them on a variety of social networking services, such as Facebook, Twitter, Tumblr and Flickr.

USING AN UNENCRYPTED HTTP CONNECTION

Instagram's Android application communicates with its server over an unencrypted HTTP connection, which is susceptible to tampering by anyone in a position to intercept it, Mazin Ahmed, who discovered the vulnerability, explained in a blog post.

“I started using the app on my phone, and monitoring the traffic in the network using Wireshark, looking for evidence for unencrypted data that goes through the network or a technique to make this data unencrypted (if it was encrypted),” said Mazin.

INSTAGRAM SESSION HIJACKING

He found that the unencrypted Instagram app communication is also vulnerable to session hijacking, which can be carried out using a man-in-the-middle attack, a common technique used by attackers to intercept wireless data traffic.

Reusing the intercepted HTTP session cookies on another system or browser allows the attacker to hijack the session of the victim's Instagram account.

“As soon as I logged into my account on my phone, Wireshark captured unencrypted data going through HTTP. This data includes: the pictures that the victim is watching, the victim's session cookies, the victim's username and ID.”

It is really surprising that the largest social networking giant, Facebook, ignored such a big issue in its most popular image and video sharing service and failed to take every measure to ensure the security of its users.

Mazin, who believes the issue might already be exploited by intelligence agencies for surveillance purposes, reported the vulnerability to Facebook on 24th July, but its security team replied: “Facebook accepts the risk of parts of Instagram communicating over HTTP not over HTTPS.”

Facebook has decided to adopt HTTPS throughout its Instagram mobile application in the near future, but it is not yet clear how long that will take.
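The exposure described above comes down to session cookies crossing the wire in cleartext. As an added example (not code from the original article or from Instagram/Facebook), the audit below walks a constructed capture, shaped as (transport, raw HTTP message) pairs as a proxy or pcap dissector would hand them over, and flags session-like cookies sent or issued over plain HTTP, plus cookies issued without the Secure flag; hostnames, cookie values and the session-name heuristic are assumptions.

```python
"""Flag session cookies that cross the wire in cleartext HTTP.

Added example, not code from the original article or from Instagram.
Input: an iterable of (transport, raw_http_message) where transport is
"http" (plaintext) or "https" (TLS). All sample data below is constructed.
"""

# Cookie names that usually carry authentication state (assumed heuristic).
SESSION_HINTS = ("session", "sid", "token", "auth")


def parse_message(raw):
    """Split a raw HTTP request/response into (start line, [(name, value)])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def cookie_names(header_value):
    """'a=1; b=2; Path=/' -> ['a', 'b', 'Path']; first entry is the cookie itself."""
    return [p.split("=", 1)[0].strip() for p in header_value.split(";") if "=" in p]


def looks_like_session(name):
    return any(hint in name.lower() for hint in SESSION_HINTS)


def audit_capture(capture):
    """Return (kind, cookie_name, start_line) findings for exposed cookies.

    kinds: cleartext-cookie      client sent a session-like cookie over http
           cleartext-set-cookie  server issued any cookie over http
           missing-secure-flag   session-like cookie issued without Secure,
                                 so a browser would also send it over http
    """
    findings = []
    for transport, raw in capture:
        start, headers = parse_message(raw)
        for name, value in headers:
            if name == "cookie" and transport == "http":
                for cn in cookie_names(value):
                    if looks_like_session(cn):
                        findings.append(("cleartext-cookie", cn, start))
            elif name == "set-cookie":
                names = cookie_names(value)
                if not names:
                    continue
                cn = names[0]
                attrs = {p.strip().lower() for p in value.split(";")[1:]}
                if transport == "http":
                    findings.append(("cleartext-set-cookie", cn, start))
                if "secure" not in attrs and looks_like_session(cn):
                    findings.append(("missing-secure-flag", cn, start))
    return findings


# Constructed capture: the app talks plaintext for the feed, TLS for login.
SAMPLE_CAPTURE = [
    ("http", "GET /api/v1/feed/timeline/ HTTP/1.1\r\nHost: api.photos.example\r\n"
             "Cookie: sessionid=PLACEHOLDER-SESSION; ds_user_id=42\r\n\r\n"),
    ("http", "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
             "Set-Cookie: csrftoken=PLACEHOLDER-CSRF; Path=/\r\n\r\n{}"),
    ("https", "POST /accounts/login/ HTTP/1.1\r\nHost: api.photos.example\r\n"
              "Cookie: sessionid=PLACEHOLDER-SESSION\r\n\r\n"),
    ("https", "HTTP/1.1 200 OK\r\n"
              "Set-Cookie: sessionid=PLACEHOLDER-SESSION; Path=/; Secure; HttpOnly\r\n\r\n"),
]

if __name__ == "__main__":
    for kind, cookie, where in audit_capture(SAMPLE_CAPTURE):
        print(f"{kind:22} {cookie:12} in '{where}'")
```

Only the two plaintext exchanges produce findings; the TLS login leg with a Secure, HttpOnly cookie passes clean.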

THN Deals Store this week brings you the Cybersecurity Certification Mega Bundle, which will walk you through the skills and concepts you need to master three elite cybersecurity certification exams: CISA, CISM, and CISSP [...]

Good news: we bring you an amazing deal this month, where you can get hacking courses for as little as you want to pay, and if you beat the average price you will receive the fully upgraded hacking bundle!

A leading provider of advanced threat, security and compliance solutions, Tripwire, has announced that Craig Young, a security researcher from its Vulnerability and Exposure Research Team (VERT), is working on a paper about SSL vulnerabilities that will be presented at DEF CON 22 Wireless Village.

There are thousands of websites on the Internet that contain serious mistakes in the way Secure Sockets Layer and Transport Layer Security (SSL/TLS) is implemented, leaving them vulnerable to man-in-the-middle (MitM) attacks that could compromise sensitive user data such as banking credentials, credit card numbers and other information.

A MitM attack is one of the most common and favoured techniques attackers use to intercept wireless data traffic. Cyber criminals could intercept sensitive user data, including credit card numbers, PayPal credentials and social network credentials.

Young has unearthed various situations where poor SSL implementations, in combination with inbuilt weaknesses in the 802.11 WiFi standards, result in flaws that can be easily exploited by attackers with “devastating real-world consequences”.

The researcher has also created a short video that demonstrates how a WiFi Pineapple can easily be hacked and exploited “to abduct, stalk, spy on or even physically harm unsuspecting victims.”

The WiFi Pineapple, which is Linux powered and runs the open-source Karma Wi-Fi attack program, is a small self-contained appliance designed to help security researchers conduct penetration testing in an unobtrusive manner. Since 2008, the WiFi Pineapple has served penetration testers, law enforcement, military and government as a versatile wireless auditing platform for almost any deployment scenario.

At the conference, Young will explain:

A general strategy for confirming that an SSL-based application performs appropriate certificate validation

How to recognize and examine trust manager implementations within a compiled Android APK

Craig Young is an award-winning cyber security expert, who has uncovered multiple router security holes, Google authentication vulnerabilities, and has filed numerous CVEs. He is currently working in a team of expert security researchers at VERT, a team dedicated to ensuring Tripwire customers have the most extensive protection possible.
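The first item in Young's list, confirming that an SSL-based application actually validates certificates, is illustrated below for Python's standard ssl module as an added example; it is not code from Tripwire/VERT or the original article, and the function names are assumptions. The weak context is the common "make the warning go away" configuration; the audit reports exactly which validation step it has switched off.

```python
"""Audit whether a TLS client context really validates the server certificate.

Added example (not Tripwire/VERT code). Checks the three settings that
decide whether a MitM with a self-signed or wrong-host certificate succeeds.
"""
import ssl


def audit_tls_context(ctx):
    """Return a list of validation weaknesses; an empty list means it passes."""
    issues = []
    # CERT_NONE accepts any certificate, including a MitM's self-signed one.
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        issues.append("verify_mode is not CERT_REQUIRED: any certificate is accepted")
    # A valid certificate for the wrong host is still the wrong host.
    if not ctx.check_hostname:
        issues.append("check_hostname is off: certificate subject is not matched")
    # Protocol downgrade: anything below TLS 1.2 is a weakness in its own right.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        issues.append("minimum_version allows legacy SSL/TLS versions")
    return issues


def build_weak_context():
    """The 'make the warning go away' configuration seen in many apps."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def build_hardened_context():
    """Default validation against the system trust store, TLS 1.2 minimum."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for label, ctx in (("weak", build_weak_context()),
                       ("hardened", build_hardened_context())):
        print(label, audit_tls_context(ctx) or ["ok"])
```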

Just a week ago, a data forensic expert and security researcher detailed a number of undocumented features in Apple iOS devices at the Hackers On Planet Earth (HOPE X) conference held in New York on Friday.

The researcher's allegation that iOS contains a “backdoor” permitting third parties to potentially gain access to large amounts of users' personal data provoked a strong response from Apple.

Great news for hackers and BackTrack Linux fans! Offensive Security, the developers of one of the most advanced open source operating systems for penetration testing, known as 'Kali Linux', has finally announced the release of the latest version, Kali Linux 1.0.8.

Kali Linux is a Debian-based Linux distribution designed for digital forensics and penetration testing, including a variety of security/hacking tools. It is developed, maintained and funded by Offensive Security, which constantly provides users with the latest package updates and security fixes available.

The new release supports Extensible Firmware Interface (EFI) boot, which allows you to start Kali Linux 1.0.8 from a USB stick on recent hardware, and especially on Apple MacBook Air and Retina models.

“This new feature simplifies getting Kali installed and running on more recent hardware which requires EFI as well as various Apple Macbooks Air and Retina models,” reads the blog post.

This time the developers are not releasing any ARM or VMware images with the new release, but they are providing users with a whole array of tool updates and patches that have accumulated over the past couple of months.

“Building on our ever-growing list of such features, we can now happily say that the Kali image is an EFI Bootable ISO Hybrid image that supports Live USB Encrypted Persistence with LUKS Nuke support, out of the box.”

If you already have Kali Linux installed on your system, you don't need to download the new setup. You can easily upgrade your installation to the latest version of Kali Linux using the following commands:

The Russian government is offering almost 4 million rubles, approximately $111,000, to whoever can devise a reliable technology to decrypt data sent over Tor, an encrypted anonymizing network used by online users to hide their activities from law enforcement, government censors, and others.

The Russian Ministry of Internal Affairs (MVD) issued a notice on its official procurement website, originally posted on July 11, under the title "шифр «ТОР (Флот)»", which translates as "cipher 'TOR' (Navy)": an open call for Tor-cracking proposals whose winner will be chosen by August 20.

The ministry specifically wants researchers to “study the possibility of obtaining technical information about users and users' equipment on the Tor anonymous network,” according to a translated version of the Russian government's proposal.

Only Russian nationals and companies are allowed to take part in the competition "in order to ensure the country's defense and security." Participants are required to pay a 195,000 ruble (about $5,555) application fee to enter the competition.

Tor, which was originally invented by the U.S. Navy, anonymizes the identity of an online user by encrypting their data and sending it through a unique configuration of nodes known as an onion routing system – making it difficult to trace.

Now in the hands of a nonprofit group, the project continues to receive millions of dollars in funding from the U.S. government every year, and boasts approximately 4 million users worldwide, among them many tech-savvy digital activists in countries where technical censorship and surveillance are prevalent.

Tor has encountered problems in Russia before. The MVD had previously sought to ban the use of any anonymizing software, though that proposal was dropped last year.

SERIOUS THREAT FOR ACTIVISTS AND WHISTLEBLOWERS
Anonymity, which is in everybody's interest, especially that of activists, journalists, researchers and whistleblowers who use the Tor anonymity service to hide their activities, is now under great threat from both sides.

In my opinion, announcing a million-dollar competition doesn't give any government full authority to hack the widely used anonymity network. Such a move has put both the Russian and U.S. governments in the same category.

Tor has been the constant target of government intelligence agencies and other entities seeking to unveil the identities of anonymous Internet users. Even the U.S. intelligence agency NSA and the U.K.'s GCHQ have made multiple attempts and spent significant resources to target Tor users and break Tor's anonymity, as revealed by global surveillance whistleblower Edward Snowden last year.

Last year, it was revealed that a zero-day vulnerability in Firefox was used to unmask users of Tor's privacy-protecting “hidden services”, in what was believed to be an FBI effort to crack down on Freedom Hosting, a Tor server provider, as part of a child pornography case.

A talk at the upcoming Black Hat security conference in August entitled 'You don't have to be the NSA to Break Tor: De-Anonymizing Users on a Budget,' by researchers from Carnegie Mellon University, was abruptly pulled earlier this week because the materials they would discuss had not been approved for public release by the university or the Software Engineering Institute (SEI).

Just a few days ago, Exodus Intelligence reported that its researchers had found a critical zero-day security vulnerability in TAILS, a privacy- and security-focused Linux-based operating system designed to be booted from a CD or USB stick that uses Tor and other services to hide the identity of users and leave no trace of their activities on their computers. The developers with the Tor Project said that they are working to fix the weakness as soon as possible.

Data security is a big task for businesses as well as a challenge for IT leaders, whether it be securing networks or devices. Over the past few months we have seen various data breaches, the largest of which was the Target data breach, which cost the business nearly $50,000 in lost productivity, replacement and data recovery.

Once a bad actor has stolen your hardware or compromised your network, the ability to lock down sensitive data is paramount.

To help mitigate these threats and protect businesses against data breaches without hurting performance, Intel has announced its latest enterprise-class solid state drives (SSDs), which are self-encrypting and packaged with powerful security and management features.

The new Intel SSD 2500 Pro Series offers strong performance together with hardware-based 256-bit self-encryption, so that encrypting data has minimal impact on performance.

Intel SSD 2500 Pro Series will be offered in both 2.5-inch SATA and M.2 (60mm and 80mm) “gumstick” form factors for notebooks, tablets and the like, with storage capacities ranging from 120GB to 480GB for the 2.5-inch version and 180GB, 240GB, or 360GB for the M.2 format, the company said.

To secure data on corporate machines, Intel is also offering policy controls that comply with the Trusted Computing Group's OPAL 2.0 security standard and Microsoft Windows eDrive compatibility.

"The need to protect assets, keep an eye on the bottom line, and ensure employees have the best tools is a challenge for IT departments," Rob Crooke, corporate vice president and general manager of Intel's Non-Volatile Memory Solutions Group (NSG), said in a statement.
"The Intel SSD Pro 2500 Series is a well-rounded solution to help balance those often competing needs. Adding the Pro 2500 Series to the Intel SSD Professional Family delivers a powerful storage solution to help businesses of all sizes meet their critical IT needs."

In terms of performance, Intel claims sequential read speeds of up to 540MB/s, sequential write speeds of up to 480MB/s, and 45K – 80K random read/write IOPS. These figures may not quite represent industry-leading performance compared to the fastest SSDs currently on the market, but they're not too crummy either.

Hardware-based self-encrypting drives aren't new; Samsung, SanDisk and many other companies also offer encryption to protect data without a loss of performance.

Pro 2500 Series drives have "five advanced power modes, helping to balance performance and power to enable a longer battery life and provide a better mobile experience," Intel said.

The SSD 2500 Pro drive is expected to have a mean time between failures (MTBF) of 1.2 million hours and features a world-class annualized failure rate (AFR) well below 1 percent. The Intel SSD Pro 2500 Series is backed by a 5-year limited warranty.

Security researchers from the Russian Internet giant Yandex have discovered a new piece of malware that is being used to target Linux and FreeBSD web servers in order to make them part of a wider botnet, without needing any root privileges.

The researchers dubbed the malware Mayhem: a nasty modular malware that includes a number of payloads for malicious tasks and targets only those machines which are not updated with security patches or are less likely to run security software.

So far, researchers have found over 1,400 Linux and FreeBSD servers around the world that have been compromised by the malware, with potentially thousands more to come. Most of the compromised machines are located in the USA, Russia, Germany and Canada.

Three security experts, Andrej Kovalev, Konstantin Ostrashkevich and Evgeny Sidorov, who work at the Russia-based Internet portal Yandex, discovered the malware targeting *nix servers. They were able to trace transmissions from the infected computers to two command and control (C&C) servers.

"In the *nix world, autoupdate technologies aren't widely used, especially in comparison with desktops and smartphones. The vast majority of web masters and system administrators have to update their software manually and test that their infrastructure works correctly," the trio wrote in a technical report for Virus Bulletin.

"For ordinary websites, serious maintenance is quite expensive and often webmasters don't have an opportunity to do it. This means it is easy for hackers to find vulnerable web servers and to use such servers in their botnets."

The researchers say that this new type of malware can work under restricted privileges on the system and has been created with multiple functions in mind. The attack is conducted via a sophisticated PHP script that has a low detection rate with the antivirus engines available.

The infected system establishes communication with the command and control servers, which can send the malware different instructions. As mentioned above, Mayhem is modular: its functions can be expanded through plugins, and at the moment some eight plugins have been discovered, which are listed below:

In the case of rfiscan.so, the malware spreads by finding servers hosting websites with a remote file inclusion (RFI) vulnerability, which it checks using the ‘http://www.google.com/humans.txt’ file. If the HTTP response contains the words ‘we can shake’, the plugin decides that the website has a remote file inclusion vulnerability.

Once the malware exploits an RFI, or any other weakness mentioned above, and gets installed, it runs a PHP script on the victim. The PHP script kills all ‘/usr/bin/host’ processes, checks the system architecture and OS (whether Linux or FreeBSD), and then drops a malicious object identified as ‘libworker.so’.

Meanwhile, the PHP script also defines a variable named ‘AU’, which holds the full URL of the script being executed. It also runs a shell script, which then pings the command-and-control server.

The malware then creates a hidden file system, known as sd0, and downloads all eight plugins mentioned above, none of which were detected by the VirusTotal malware scanning tool.

Mayhem was first detected in April 2014, and according to the trio, it is a continuation of the “Fort Disco” brute-force campaign that was unearthed by Arbor Networks in 2013.

The Yandex researchers warned that there may be more plugins in circulation, based on information they discovered on the two detected command-and-control servers, including one which specifically exploits systems that haven't patched the critical Heartbleed vulnerability in OpenSSL.
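The rfiscan.so behaviour described above leaves a distinctive trace in web server logs: a query parameter whose value is the google.com/humans.txt URL. The detector below, an added example that is not the Yandex researchers' code, parses constructed Apache/nginx combined-format lines, flags that canary URL as a Mayhem-style probe and any other URL-valued parameter (including percent-encoded ones) as a generic RFI attempt; the log lines, IPs and hostnames are constructed.

```python
"""Spot Mayhem-style remote file inclusion probes in web server access logs.

Added example, not code from the Yandex report. rfiscan.so tests a site by
injecting google.com's humans.txt URL and looking for 'we can shake' in the
reply; that URL is a usable fingerprint, and any URL-valued query parameter
is a broader RFI signal. SAMPLE_LOG below is constructed, not real traffic.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Apache/nginx "combined" format, simplified to the fields we need.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
PROBE_FINGERPRINT = "google.com/humans.txt"   # rfiscan.so's canary URL
REMOTE_SCHEMES = ("http://", "https://", "ftp://")


def rfi_findings(line):
    """Return findings for one log line (empty list if nothing suspicious)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    hits = []
    # parse_qsl percent-decodes values, so an encoded 'http%3A%2F%2F' is caught too.
    for param, value in parse_qsl(query, keep_blank_values=True):
        low = value.lower()
        if not low.startswith(REMOTE_SCHEMES):
            continue
        kind = "mayhem-rfiscan-probe" if PROBE_FINGERPRINT in low else "rfi-remote-url"
        hits.append({
            "ip": m.group("ip"), "time": m.group("ts"), "param": param,
            "value": value, "status": int(m.group("status")), "kind": kind,
        })
    return hits


def scan_log(lines):
    """Aggregate findings over many lines, e.g. the lines of an access.log file."""
    findings = []
    for line in lines:
        findings.extend(rfi_findings(line.rstrip("\n")))
    return findings


# Constructed sample: one canary probe, one encoded include attempt, one benign hit.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jul/2014:11:02:17 +0000] "GET /index.php?page=http://www.google.com/humans.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jul/2014:11:02:18 +0000] "GET /index.php?page=http%3A%2F%2Fhost.invalid%2Finc.txt%3F HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jul/2014:11:03:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['kind']:22} {f['param']}={f['value']}")
```

A 200 status on the canary probe line is the case worth investigating first: it means the include may actually have been served, which is exactly what rfiscan.so is looking for.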

The French information security company VUPEN has recently disclosed that it held onto a serious Internet Explorer (IE) vulnerability for at least three years before revealing it at the Pwn2Own hacking competition held in March this year.

According to a disclosure made by the security company last week, the vulnerability, CVE-2014-2777, was discovered by the company on 12 February 2011 and was patched by Microsoft last month.

12 February 2011 - IE zero-day discovered by VUPEN.

13 March 2014 - VUPEN reported it to Microsoft.

11 June 2014 - Microsoft released a patch and publicly released the advisory.

A sandbox is a security mechanism used to run an application in a restricted environment. If an attacker is able to exploit the browser in a way that lets them run arbitrary code on the machine, the sandbox helps prevent this code from damaging the system. So, if attackers are able to bypass the sandbox mechanism, they can run malicious code on the victim's machine.

"The vulnerability is caused due to an invalid handling of a sequence of actions aimed to save a file when calling 'ShowSaveFileDialog()', which could be exploited by a sandboxed process to write files to arbitrary locations on the system and bypass IE Protected Mode sandbox," wrote the company.

BAZAAR OF ZERO-DAY EXPLOITS

VUPEN's specialty is discovering zero-day vulnerabilities in software from major vendors in order to sell the exploits to the highest bidder, typically law enforcement and government intelligence agencies, and HP's Zero Day Initiative.

VUPEN also exploited several targets at March's Pwn2Own competition, including Chrome, Adobe Flash, Adobe Reader and Microsoft's Internet Explorer, taking home $400,000 of the total contest payout.

MICROSOFT ALSO KEPT SOMETHING HIDDEN

Microsoft has also kept a critical zero-day vulnerability in Internet Explorer 8 hidden from all of us since October 2013: a remote code execution flaw affecting Internet Explorer version 8 that allowed a remote attacker to execute arbitrary code through a bug in CMarkup objects.

Now the question arises — does Microsoft keep these critical vulnerabilities in its browser hidden intentionally? Or does Microsoft not care about the security of its users, given that its security team left a three-year-old vulnerability undiscovered?

VULNERABILITY ON PLANET MARS

Last month a 20-year-old, subtle but critical integer overflow vulnerability was discovered in Lempel-Ziv-Oberhumer (LZO), an extremely efficient data compression algorithm that focuses on decompression speed and is almost five times faster than the zlib and bzip compression algorithms.

The hugely popular algorithm is used in the Linux kernel, some Samsung Android mobile devices, other embedded devices and several open-source libraries including OpenVPN, MPlayer2, Libav and FFmpeg. It even made its way onto the Mars Curiosity rover.

Users of WordPress, a free and open source blogging tool and content management system (CMS), who have a popular unpatched WordPress plugin installed are being cautioned to upgrade their sites immediately.

A serious vulnerability in the WordPress plugin MailPoet could essentially allow an attacker to upload any file they wanted to the server, including malware, defacements and spam, without any authentication.

MailPoet, formerly known as Wysija Newsletter, is a WordPress plugin with more than 1.7 million downloads that allows developers running WordPress to send newsletters and manage subscribers within the content management system.

In a blog post, Daniel Cid, security researcher and CEO of the security firm Sucuri, pointed out that the vulnerability is serious and said that in the three weeks since the vulnerability was unveiled, over 50,000 websites have been remotely exploited by cybercriminals to install backdoors via the vulnerable MailPoet plugin.

Some of those compromised websites don't even run WordPress or don't have the MailPoet plugin enabled, as the malware can infect any website that resides on the server of a hacked WordPress website, according to the researcher.

"The malware code had some bugs: it was breaking many websites, overwriting good files and appending various statements in loops at the end of files," Cid said in a blog post. "All the hacked sites were either using MailPoet or had it installed on other sites within the same shared account -- cross-contamination still matters.”

"To be clear, the MailPoet vulnerability is the entry point, it doesn't mean your website has to have it enabled or that you have it on the website; if it resides on the server, in a neighbouring website, it can still affect your website."

The security firm first reported the vulnerability at the beginning of this month. The backdoor installed is very nasty and creates an admin account that gives attackers full administrative control. It also injects backdoor code into all themes and core files.

The worst part of this infection is that the malicious code also overwrites valid files, which are very difficult to recover without a good backup in place. It causes many websites to fall over and display the message:

The security firm clarifies that every build of MailPoet is vulnerable except the most recently released version, 2.6.7. Users are therefore recommended to update as soon as possible.

The Sucuri security firm is very dedicated to finding vulnerabilities in the WordPress CMS and encouraging users to install updates. A week ago, it urged users to upgrade due to a vulnerability found in the WPtouch WordPress plugin that could potentially allow any non-administrative logged-in user to upload malicious PHP files or backdoors to the target server without any admin privileges.

A few weeks earlier, Sucuri also found two serious vulnerabilities in the popular WordPress SEO plugin “All in One SEO Pack” and a critical Remote Code Execution (RCE) flaw in the “Disqus Comment System” WordPress plugin.

The critical zero-day security flaws discovered in the privacy- and security-focused Linux-based Tails operating system by researchers at Exodus Intelligence, which could help attackers or law enforcement de-anonymize anyone's identity, actually lie in the I2P software that is bundled with the operating system.

Exodus Intelligence has released some details and video evidence demonstrating an exploit against the vulnerability that unmasks an anonymous user of the Tails operating system.

The researchers at Exodus claim they can use the vulnerability to upload malicious code to a system running Tails, execute the payload remotely, and de-anonymize the targeted user's public IP address as well.

Tails is a security-focused Debian-based Linux distribution and a suite of applications that can be carried on a USB stick, an SD card or a DVD. It keeps users' communications private by running all connectivity through Tor, the network that routes traffic through various layers of servers and encrypts data.

Meanwhile, Exodus claimed that the privacy-oriented operating system has a number of flaws for which there are no patches available. The company itself sells zero-day exploits to its clients, including US agencies and DARPA.

But in this case, Exodus alerted I2P as well as Tails to the problem and said it would not disclose the details until the problem has been fixed.

Providing details about the flaw, the company says that the actual problem lies in the heavily encrypted networking program called the Invisible Internet Project (I2P), the network layer that Tails uses to hide the user's public IP address from other websites and servers in order to keep the user anonymous on the web.

The researchers claim to have found a zero-day vulnerability in the way I2P handles network traffic that can be exploited with the help of a specially configured server.

Even after a user has taken all the steps necessary to disassociate his or her public IP address from the outside world, the flaw could allow an attacker to track down the user's identity. But the problem doesn't end there; the worst part is that the de-anonymising is achieved by transferring a code payload to an I2P user and then executing it remotely, which could cause massive damage.

"I2P currently boasts about 30,000 active peers. Since I2P has been bundled with Tails since version 0.7, Tails is by far the most widely adopted I2P usage," Exodus explained in a blog post revealing the flaw. "The I2P vulnerability works on default, fully patched installation of Tails. No settings or configurations need to be changed for the exploit to work."

The Exodus Intelligence security researchers will release more technical details on the hack once the bug gets fixed. Exodus Intelligence is working with the Tails and I2P developers to get the patch out soon, and after that it won't charge any fees for disclosing the flaw along with more bugs.

"We hope to break the mold of unconditional trust in a platform. Users should question the tools they use, they should go even further to understand the underlying mechanisms that interlock to grant them security," reads the blog post.

"It’s not enough to have faith upon security, rather to have an understanding of it. If the public thinks Exodus is one of a few entities finding bugs in software, they are grossly misinformed."

So far, the number of affected Tails users is not known. The video demonstration of an attack on a Tails system by Exodus can be found here.

This revelation must be of great concern to Invisible.im, an anonymous Instant Messenger (IM) that offers a secure and anonymous service, which is still in its early stages of development and not yet available for download, and which is looking to use the same I2P anonymity network.